Tags: azure, azure-active-directory, rbac

Azure Active Directory Application per Country or Role per Country
I have a single application deployed several times to several countries which is secured using Azure Active Directory. I have a requirement that says, people should only have access to the application in their country. What is the best way to achieve this:

Azure AD Application per Country

Create a new Azure AD application per country and use their respective client IDs in each country. This really increases the amount of config I have to deal with.

Azure AD Roles per Country

I'm already using Role Based Access Security (RBAC). I could create a role for each country e.g. Kenya, then have the Kenya instance of the application require the Kenya role.

Azure AD Multi-Tenanted Deployments

Each country is not a separate organization, it's all one company, so I'm not sure using Azure AD multi-tenant applies to my use case.
Solution

  • Having multiple roles per country would probably be what I would go with. You can assign those country roles to AAD groups (if using a license that allows that), and through that also allow the future possibility of access to multiple instances. Of course, if you are really sure that won't be necessary, then you can just assign users to the roles directly. The administrative workload is so much smaller that this is what I would go with. The only thing, of course, is that you will have to add all the reply URLs of all instances to the one app, instead of one in multiple apps.

    One downside of the role-based approach is that it becomes a bit difficult to have other roles within the app, e.g. if you wanted to have a Kenya Admin role.

    Creating an app per country seems slightly overkill, but it would have some advantages. Firstly, if needed, a user could be assigned to multiple apps to get access to multiple countries (and without paid licenses of AAD). App creation could be automated with a script. The main configuration you would have to have for each deployment would be the client ID and secret. But a major downside is that if you need to e.g. add a permission to an API, you would have to add it to each app, and then consent to it on each app.

    Multi-tenant would mean that in addition to having different client IDs and secrets, your users would have to be added to different Azure ADs. The isolation would be great, but this definitely incurs the highest amount of administrative work.
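The role-per-country option from the accepted answer, as an added illustration that is not part of the original post: a constructed `appRoles` manifest fragment, a per-instance config naming the deployment's country, and the check each instance runs against the `roles` claim Azure AD puts in the token. The manifest values, the `InstanceConfig` type and the sample claims are all assumptions made for this example.

```python
"""Country-scoped authorization built on Azure AD app roles.

Constructed example: one app registration with one app role per country,
deployed once per country. Each instance admits only callers whose token
carries the role named after that instance's country.
"""
from dataclasses import dataclass

# Constructed appRoles fragment as it would appear in the app manifest.
# The 'value' string is what Azure AD emits in the token's 'roles' claim.
APP_ROLES = [
    {"value": "Kenya", "displayName": "Kenya users", "isEnabled": True},
    {"value": "Uganda", "displayName": "Uganda users", "isEnabled": True},
]


@dataclass(frozen=True)
class InstanceConfig:
    """Per-deployment setting (hypothetical): the country this instance serves."""
    country: str


def roles_from_claims(claims: dict) -> set[str]:
    """Normalise the 'roles' claim: absent -> empty set, bare string -> one role."""
    raw = claims.get("roles", [])
    if isinstance(raw, str):
        raw = [raw]
    return set(raw)


def is_authorized(claims: dict, cfg: InstanceConfig) -> bool:
    """Allow only callers holding the enabled app role for this instance's country.

    Assumes the token has already been validated (signature, issuer, audience,
    expiry) by the web framework's middleware before the claims reach us.
    """
    enabled = {r["value"] for r in APP_ROLES if r["isEnabled"]}
    if cfg.country not in enabled:
        return False  # instance points at a role the manifest lacks: fail closed
    return cfg.country in roles_from_claims(claims)


if __name__ == "__main__":
    kenya = InstanceConfig("Kenya")
    print(is_authorized({"roles": ["Kenya"]}, kenya))            # True
    print(is_authorized({"roles": ["Uganda"]}, kenya))           # False
    print(is_authorized({"roles": ["Kenya", "Uganda"]}, InstanceConfig("Uganda")))  # True
```

A user assigned both country roles (directly or via an AAD group) passes on both instances, which is the "access to multiple instances" case the answer mentions.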